I am looking into using EFS (Encrypting File System) at file/folder level on Windows 7.

I read the Wikipedia article on EFS and it does mention several vulnerabilities related to Windows 2000 and XP. Apparently they have been fixed in later OS versions.

Then I found this tool (Advanced EFS Data Recovery, AEFSDR): http://www.elcomsoft.com/aefsdr.html that allows one to decrypt EFS-encrypted files in some cases. I am now trying to understand just how vulnerable EFS on Windows 7 is when this tool is used.

The AEFSDR product page mentions a Windows 2000 vulnerability that can be ignored. Other than that it doesn't have a lot of details.

Advanced EFS Data Recovery allows one to decrypt files even if the user database is protected with SYSKEY. First, AEFSDR searches for all EFS keys, scanning the hard drive sector by sector. After the user has entered the user password into the program, the software decrypts the keys, or at least one key, needed for decryption of user’s encrypted data. On the second stage AEFSDR looks for EFS-encrypted files in the file system and attempts to recover them. The recovery rate is usually very high, 99% or more.

So a user password had to be entered. I assume that was the password for a Windows user account.

My question is this: consider that a laptop with EFS-encrypted files/folders was stolen and it was shut down at the time (completely off, not in sleep/hibernate mode). No user passwords are available to the intruder, but the hard drive can obviously be removed and accessed from another computer. Will it be possible to decrypt any of the files?

Yep... nobody ever thought EFS was particularly secure, but they persisted. If you really need disk encryption, take the control out of Microsoft's hands and install TrueCrypt.
– digitxp, Aug 30 '11 at 19:19

1

+1 for TrueCrypt. I use it on my laptop, which quite solidly secures it whether it's completely shut down or just hibernating. And if you're set to require a password to resume from sleep, the typical approach to bypassing that is to shut down the computer, and either boot from a CD or yank the hard drive and attach it to another computer to access it -- which is rendered all but impossible by TrueCrypt, making even sleep mode pretty effective against attack! (That said, shut down or hibernate is still safer by far.)
– Kromey, Aug 30 '11 at 19:30

1

EFS is as secure as the encryption algorithms it uses. If you had no password or a weak password on your laptop, then attackers would be able to gain access using that. The same thing goes if your computer is encrypted with TrueCrypt and they get hold of the password. Might also mention that even the people behind TC aren't willing to vouch for its security. Microsoft does vouch for EFS. As for the Elcomsoft product, I'm very sceptical as to how it works; it is probably just a hoax.
– tplive, Oct 20 '14 at 13:32

3 Answers
3

EFS is designed to protect your files based on your password. Therefore, if your password is long and complex enough, and of course only used for login, it should be safe.

But usually Windows user passwords are much too short. Unfortunately, Windows 7 stores them in a special hashed way (NTLMv2); older versions even in the more insecure NTLM version. Using current graphics cards as a code cracker, even an NTLMv2 password can be broken:

EFS encrypts files using strong encryption stored in certificates in Active Directory. That said, if you use lousy passwords even in AD it's relatively easy to bypass the security. Truecrypt is no more secure, cryptographically.
– tplive, Oct 20 '14 at 13:26

TrueCrypt should give you better security than EFS, and it also offers the same functionality as BitLocker (full disk encryption).

The only downside to TrueCrypt (compared to EFS) is that it does not allow you to encrypt individual files and folders on your hard drive; instead, you create an encrypted volume, either on a disk or within a file on your drive, which you then mount as a separate encrypted volume.

Unfortunately, this is not a Vault-style solution, which means that (just like EFS) once you're logged in, your files are insecure. TrueCrypt, EFS, and BitLocker do not offer Vault-style security.

Can't really compare TrueCrypt/BitLocker to EFS as they solve different problems altogether. Full-disk encryption is no use when you need two different systems to share files without anyone else being able to decrypt them. We use service accounts to encrypt in EFS-enabled folders, and only the service accounts can decrypt on the other server.
– tplive, Oct 20 '14 at 13:28

This is an old question, but I haven't seen the answer I'm about to write.
If your laptop winds up in somebody's hands, they could easily reset your account password or create a new account and just bypass EFS entirely.

There's not much you can do about it on a Windows machine. One could create a live Linux USB, mount your Windows OS partition, and replace some processes that run as admin with a cmd. This will, of course, give them a console with admin rights. Even if you password-lock your BIOS, it can usually be easily reset by removing the BIOS battery. And there are many processes that can be replaced; you just have to know which ones run during the login phase.

If you want good encryption and are not afraid to get your hands dirty, you can code it yourself. There are numerous implementations of symmetric ciphers (AES / DES) or asymmetric ones (but you'd have to hide the private key really well) for nearly all programming languages, and it's really easy to recursively traverse a folder and replace files with some data (in this case, the encrypted version of themselves). And I'm sure you could find programs that already do this simple thing, but by coding it yourself you are 100% certain that it doesn't do other stuff.
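The "recursively traverse a folder and replace files with the encrypted version of themselves" idea above, written out as an added example (not code from the answer or from any product mentioned on this page). It is Go using only the standard library's AES-256-GCM, so every file is authenticated as well as encrypted: a wrong key, a flipped byte, or a ciphertext moved to a different path fails to open instead of silently producing garbage, which is the failure mode a home-grown unauthenticated AES/DES loop would not catch. The function names, the temp-directory demo, and the sample plaintext are all constructed for this example; the key is passed in as a parameter because the hard part the answer glosses over, where the key lives while the machine is off, is not solved here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key (assumed supplied by the caller).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile replaces the plaintext at path with nonce||ciphertext||tag.
// The file's path relative to the tree root is bound in as additional
// authenticated data, so a sealed file only opens at the path it was sealed for.
func EncryptFile(aead cipher.AEAD, path, rel string) error {
	plain, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per file
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sealed := aead.Seal(nonce, nonce, plain, []byte(rel))
	return os.WriteFile(path, sealed, 0o600)
}

// DecryptFile reverses EncryptFile; it only rewrites the file when the tag verifies.
func DecryptFile(aead cipher.AEAD, path, rel string) error {
	sealed, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return errors.New("file too short to be a sealed blob")
	}
	plain, err := aead.Open(nil, sealed[:ns], sealed[ns:], []byte(rel))
	if err != nil {
		return err // wrong key, tampering, or file moved to another path
	}
	return os.WriteFile(path, plain, 0o600)
}

// walkTree applies op to every regular file below root, passing a slash-separated relative path.
func walkTree(root string, op func(path, rel string) error) error {
	return filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		return op(path, filepath.ToSlash(rel))
	})
}

// EncryptTree / DecryptTree are the recursive in-place operations the answer describes.
func EncryptTree(root string, key []byte) error {
	aead, err := newGCM(key)
	if err != nil {
		return err
	}
	return walkTree(root, func(p, rel string) error { return EncryptFile(aead, p, rel) })
}

func DecryptTree(root string, key []byte) error {
	aead, err := newGCM(key)
	if err != nil {
		return err
	}
	return walkTree(root, func(p, rel string) error { return DecryptFile(aead, p, rel) })
}

func main() {
	// Constructed demo: a throwaway tree with one file, round-tripped with a random key.
	root, err := os.MkdirTemp("", "efs-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	os.MkdirAll(filepath.Join(root, "sub"), 0o700)
	os.WriteFile(filepath.Join(root, "sub", "notes.txt"), []byte("constructed sample plaintext"), 0o600)
	if err := EncryptTree(root, key); err != nil {
		panic(err)
	}
	if err := DecryptTree(root, key); err != nil {
		panic(err)
	}
	fmt.Println("round trip ok")
}
```

Because the relative path is part of the authenticated data, renaming or relocating a sealed file before decryption is detected rather than quietly yielding the plaintext under a new name; a real tool would also want to handle partial writes (write to a temp file, then rename) so a crash mid-tree leaves no half-encrypted file behind.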